Bad Rabbit Ransomware Targets Victims through Fake Adobe Flash Updates 


Summary 


Beginning on 24 October 2017, a new self-propagating ransomware 
variant known as Bad Rabbit began infecting media organizations in 
Russia and critical infrastructure in Ukraine. Bad Rabbit bears 
substantial resemblance to NotPetya, including shared code, shared 
infrastructure, very similar ransom notes, encryption of both files and 
the master boot record (MBR), and the ability to self-propagate. Open 
source reporting indicates Bad Rabbit has targeted at least 15 
countries, including the United States, although the FBI is presently 
unaware of any successfully compromised US victims. However, the 
Bad Rabbit outbreak appears to be much smaller in scale, specifically 
targeting corporations, and has overwhelmingly impacted Russia and 
Ukraine. 
Threat 


Bad Rabbit initially infects victims via a fake Adobe Flash Player update delivered 
through a drive-by download on compromised websites. Users visiting compromised 
websites are asked to install an update to Adobe Flash, at which point a malicious 
download delivers the malware dropper. Upon infection, victim files are encrypted and 
the victim is presented with a ransom note. In all known cases, the demanded ransom 
has been 0.05 bitcoins, or roughly $280. Some private sector cybersecurity researchers 
speculate the actors behind Bad Rabbit may have already had a foothold in the 
networks of initial victims, as the initial infections were reported to have occurred 
simultaneously. 


Once installed, Bad Rabbit self-propagates across victim networks via Server Message 
Block (SMB) using Mimikatz, a hacking tool capable of changing privileges and 
recovering Windows passwords in plaintext, and a hardcoded list of commonly used 
default credentials to attempt to guess passwords. Furthermore, private sector analysis 
determined Bad Rabbit leveraged the EternalRomance exploit, one of two Shadow 
Brokers-released exploits leveraged by NotPetya for lateral propagation. Unlike 
WannaCry and NotPetya, Bad Rabbit does not leverage the EternalBlue exploit. 
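The credential-guessing sweep described above leaves a characteristic trace in Windows Security logs: a burst of failed network logons (event 4625, logon type 3) across many account names from one source host, sometimes followed by a successful logon (4624) from the same source. The following Python detector is an added example, not part of the FBI product; it runs that check over constructed sample events, and the field layout, time window and account-count threshold are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real logs. Fields mirror Windows Security log
# values: EventID 4625 = failed logon, 4624 = successful logon, and LogonType 3
# = network logon, which is how SMB authentication attempts show up on a host.
SAMPLE_EVENTS = [
    # (timestamp, event_id, logon_type, source_ip, account, target_host)
    ("2017-10-24T10:00:01", 4625, 3, "10.0.0.15", "Administrator", "FS01"),
    ("2017-10-24T10:00:02", 4625, 3, "10.0.0.15", "admin", "FS01"),
    ("2017-10-24T10:00:03", 4625, 3, "10.0.0.15", "root", "FS01"),
    ("2017-10-24T10:00:04", 4625, 3, "10.0.0.15", "guest", "FS01"),
    ("2017-10-24T10:00:05", 4624, 3, "10.0.0.15", "Administrator", "FS01"),
    ("2017-10-24T10:00:06", 4625, 3, "10.0.0.15", "admin", "WS02"),
    ("2017-10-24T10:00:07", 4624, 3, "10.0.0.15", "backup", "WS02"),
    ("2017-10-24T10:05:00", 4625, 3, "10.0.0.42", "jdoe", "FS01"),  # one typo
    ("2017-10-24T10:05:10", 4624, 3, "10.0.0.42", "jdoe", "FS01"),  # then fine
]


def detect_credential_sweep(events, window=timedelta(minutes=2), min_accounts=3):
    """Flag each source whose failed network logons inside `window` span at
    least `min_accounts` distinct account names (a default-credential sweep),
    and list any later successful logons from that source, since those show
    which guessed credential the worm could now use to spread."""
    by_src = defaultdict(list)
    for ts, eid, ltype, src, acct, host in events:
        if ltype == 3:  # interactive/service logons are irrelevant to SMB spread
            by_src[src].append((datetime.fromisoformat(ts), eid, acct, host))
    alerts = {}
    for src, evs in by_src.items():
        evs.sort()
        fails = [e for e in evs if e[1] == 4625]
        for i, (t0, _, _, _) in enumerate(fails):
            tried = {a for t, _, a, _ in fails[i:] if t - t0 <= window}
            if len(tried) >= min_accounts:
                later_ok = [(a, h) for t, e, a, h in evs if e == 4624 and t > t0]
                alerts[src] = {"accounts_tried": sorted(tried),
                               "successes_after": later_ok}
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for src, info in detect_credential_sweep(SAMPLE_EVENTS).items():
        print(src, info)
```

A single mistyped password (10.0.0.42 in the sample) stays below the threshold, while the source that cycles through several default account names is reported together with the logons that later succeeded from it.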


While WannaCry and NotPetya appeared to be indiscriminate, private sector 
cybersecurity researchers believe Bad Rabbit is more targeted, only encrypting victims 
of interest based on instructions contained in the script injected into infected websites. 


Recommended Steps for Prevention 

• Apply the Microsoft patch for the MS17-010 SMB vulnerability dated March 14, 
2017. 

• Avoid downloading any software updates unless directly from trusted sources. 

• Ensure anti-virus and anti-malware solutions are set to automatically conduct 
regular scans. 

• Manage the use of privileged accounts. Implement the principle of least privilege. 
No users should be assigned administrative access unless absolutely needed. 
Those with a need for administrator accounts should only use them when 
necessary. 

• Configure access controls including file, directory, and network share permissions 
with least privilege in mind. If a user only needs to read specific files, they should 
not have write access to those files, directories, or shares. 

• Disable macro scripts from Microsoft Office files transmitted via e-mail. Consider 
using Office Viewer software to open Microsoft Office files transmitted via e-mail 
instead of full Office suite applications. 

• Develop, institute and practice employee education programs for identifying 
scams, malicious links, and attempted social engineering. 

• Have regular penetration tests run against the network, no less than once a year, 
and ideally, as often as possible/practical. 

• Test your backups to ensure they work correctly upon use. 


Recommended Steps for Remediation 
• Contact law enforcement. We strongly encourage you to contact a local FBI field 
office upon discovery to report an intrusion and request assistance. Maintain and 
provide relevant logs. 

• Implement your security incident response and business continuity plan. Ideally, 
organizations should ensure they have appropriate backups so they can restore 
the data from a known clean backup. 


Defending Against Ransomware 
Precautionary measures to mitigate ransomware threats include: 

• Ensure anti-virus software is up-to-date. 

• Implement a data back-up and recovery plan to maintain copies of sensitive or 
proprietary data in a separate and secure location. Backup copies of sensitive 
data should not be readily accessible from local networks. 

• Scrutinize links contained in e-mails, and do not open attachments included in 
unsolicited e-mails. 

• Only download software—especially free software—from sites you know and 
trust. 

• Enable automated patches for your operating system and Web browser. 


Administrative Note 


This product is marked TLP:WHITE. Subject to standard copyright rules, TLP:WHITE 
information may be distributed without restriction. 


For comments or questions related to the content or dissemination of this product, 
contact CyWatch. 